Mar. 30, 2012
Merchant processor Global Payments Inc. confirmed late Friday afternoon that it sustained a data breach following press accounts earlier in the day of a breach variously reported as affecting 50,000 to potentially millions of payment cards.
In a press release, Atlanta-based Global “announced it identified and self-reported unauthorized access into a portion of its processing system. In early March 2012, the company determined card data may have been accessed. It immediately engaged external experts in information-technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter.”
“It is reassuring that our security processes detected an intrusion,” Global’s chairman and chief executive Paul R. Garcia said in the release. “It is crucial to understand that this incident does not involve our merchants or their relationships with their customers.”
A Global Payments spokesperson would not comment beyond the release. The company said it would hold an investor conference call at 8:00 a.m. Eastern time Monday.
Earlier Friday, reports of a possible breach at Global triggered a sell-off in its stock. The New York Stock Exchange halted trading shortly before noon Eastern with Global’s share price off 9% from Thursday’s close.
The KrebsOnSecurity blog written by former Washington Post reporter Brian Krebs broke the story early Friday, saying that Visa Inc. and MasterCard Inc. last week warned financial institutions about a possible breach involving a third-party processor between Jan. 21 and Feb. 25. Fraudsters apparently gained full Track 1 and Track 2 data from payment card magnetic stripes, which would enable them or buyers of that data to make counterfeit cards. Sources told Krebs the breach could be “massive,” possibly affecting as many as 10 million card numbers.
Later in the morning, The Wall Street Journal, reported online that Global Payments “has been hit by a security breach that has put some 50,000 cardholders at risk, according to people with knowledge of the situation.” Krebs then updated his post saying sources told him the breach may be related to Dominican gangs in and around New York City, and that it was mostly affecting commercial cards.
Meanwhile, Gartner Inc. technology analyst Avivah Litan, a close follower of payment card security technology, reported in a blog that, based on reports from her card-industry sources, fraudsters have started using card numbers stolen in the breach and perpetrating fraud that “involves a taxi and parking garage company in the New York City area.” The hackers may have gained entry to the company’s inadequately protected system by correctly answering authentication questions, Litan said. She also wrote that industry executives she had spoken with “are seeing signs of this breach mushroom.”
Krebs said payment processor PSCU, which serves credit unions, on Wednesday alerted 482 credit unions that appear to have had cards impacted by the breach, and that 56,455 Visa or MasterCard accounts were compromised. The processor said it detected fraud on 876 accounts, fraud that was geographically dispersed, Krebs reported.
Visa, MasterCard and Discover Financial Services all issued statements that their own systems had not been compromised. Visa’s statement said the network “is aware of a potential data compromise incident at a third-party entity affecting card account information from all major card brands.”
SPECIAL FEATURERead Digital Transactions Online